Fake VPN website delivers malware

Real VPN client comes bundled with banking Trojan

Shares

(Image credit: Shutterstock)

Criminals are cloning the website of popular VPN software to try and trick users into downloading malware.

According to new research, the cybercriminals responsible for breaching and utilizing the website of the free video editor VSDC to distribute malware have begun to create fake websites to accomplish the same goal.

Previously the group hacked legitimate websites to use their download links to spread malware but now they have turned to cloning websites to deliver the Win32.Bolik.2 banking Trojan to the devices of unsuspecting users.

The cybercriminals have created a perfect clone of NordVPN's website to trick users into downloading the Win32.Bolik.2 banking Trojan which was discovered by researchers at Doctor Web.

In addition to being an almost exact copy of the company's website, the cloned website even has a valid SSL certificate issued by the open certificate authority Let's Encrypt. This helps the fake website appear more legitimate while also allowing it to bypass browser security checks.

Cloned websites

In a blog post announcing their discovery, Doctor Web's researchers explained what the Win32.Bolik.2 banking Trojan is capable of after being installed on a user's device, saying:

“The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”

The cybercriminals behind this malicious campaign are focusing on English-speaking targets and thousands of users have already visited the fake NordVPN website according to the researchers.

Upon visiting the cloned site, users are prompted to download the NordVPN client just as they would be on the legitimate site. To avoid arousing suspicion, the fake site installs the actual VPN client but also leaves the Win32.Bolik.2 banking Trojan on a user's system as well.

As the group's tactics have been successful so far, expect to see other similar cloned sites being utilized to infect user's systems with malware in the future.